24 lines
1.0 KiB
Plaintext
24 lines
1.0 KiB
Plaintext
=== What is the potential impact?
|
|
|
|
When a JSON Web Token is not appropriately signed with a strong cipher
|
|
algorithm or if the signature is not verified, it becomes a significant threat
|
|
to data security and the privacy of user identities.
|
|
|
|
==== Impersonation of users
|
|
|
|
JWTs are commonly used to represent user authorization claims. They contain
|
|
information about the user's identity, user roles, and access rights. When these
|
|
tokens are not securely signed, it allows an attacker to forge them. In essence,
|
|
a weak or missing signature gives an attacker the power to craft a token that
|
|
could impersonate any user. For instance, they could create a token for an
|
|
administrator account, gaining access to high-level permissions and sensitive
|
|
data.
|
|
|
|
==== Unauthorized data access
|
|
|
|
When a JWT is not securely signed, it can be tampered with by an attacker, and
|
|
the integrity of the data it carries cannot be trusted. An attacker can
|
|
manipulate the content of the token and grant themselves permissions they should
|
|
not have, leading to unauthorized data access.
|
|
|